A wireless communications network includes access points and wireless nodes. Each access point and each wireless node has a respective authentication token and address associated therewith. The access points and wireless nodes communicate using packets, where each packet includes an authentication token, an origination address and a destination address. During the communications, the access points read and store the respective authentication tokens and origination addresses in the packets wirelessly transmitted from the wireless nodes for defining an allowed wireless node list. Likewise, each wireless node reads and stores the respective authentication tokens and origination addresses wirelessly transmitted from the access points for defining an allowed access point list. The wireless nodes and access points do not associate with an attacker if both an authentication token and an address associated with the attacker are not on the respective allowed access point and wireless node lists.
1. A wireless communications network comprising:
at least one access point having a respective authentication token and address associated therewith;
a plurality of wireless nodes for communicating with said at least one access point, each wireless node having a respective authentication token and address associated therewith;
said at least one access point and said plurality of wireless nodes communicating using packets, each packet comprising an authentication token, an origination address and a destination address; and
during the communicating, said at least one access point reading and storing the respective authentication tokens and origination addresses for each received packet that was wirelessly transmitted from said plurality of wireless nodes for defining an allowed wireless node list;
during the communicating, each wireless node reading and storing the respective authentication tokens and origination addresses for each received packet that was wirelessly transmitted from said at least one access point for defining an allowed access point list;
said at least one access point monitoring packets being wirelessly transmitted within the wireless communications network by reading the originating addresses of each transmitted packet, and when a read origination address matches the address of said at least one access point, and said at least one access point did not transmit the packet, then a determination is made by said at least one access point that an attacker is impersonating said at least one access point; and
said at least one access point transmits a warning message by increasing its transmit power to drown out transmission by the attacker.
15. A method for detecting impersonating attacks in a wireless communications network comprising at least one access point and a plurality of wireless nodes, the at least one access point and each wireless node having a respective authentication token and address associated therewith, the method comprising:
wirelessly transmitting packets from the at least one access point to the plurality of wireless nodes, each packet comprising an authentication token, an origination address and a destination address;
reading and storing by each wireless node the respective authentication tokens and origination addresses for each received packet from each access point for defining an allowed access point list;
wirelessly transmitting packets from the plurality of wireless nodes to the at least one access point, each packet comprising an authentication token, an origination address and a destination address;
reading and storing by the at least one access point the respective authentication tokens and origination addresses for each received packet for the plurality of wireless nodes for defining an allowed wireless node list; and
operating the at least one access point to monitor packets being wirelessly transmitted within the wireless communications network by reading the originating addresses of each transmitted packet, and when a read origination address matches the address of the at least one access point, and the at least one access point did not transmit the packet, then a determination is made by the at least one access point that an attacker is impersonating the at least one access point, and the at least one access point transmits a warning message by increasing its transmit power to drown out transmission by the attacker.
2. A wireless communications network according to
3. A wireless communications network according to
4. A wireless communications network according to
5. A wireless communications network according to
6. A wireless communications network according to
7. A wireless communications network according to
8. A wireless communications network according to
9. A wireless communications network according to
10. A wireless communications network according to
11. A wireless communications network according to
12. A wireless communications network according to
13. A wireless communications network according to
14. A wireless communications network according to
16. A method according to
17. A method according to
18. A method according to
19. A method according to
20. A method according to
21. A method according to
22. A method according to
23. A method according to
24. A method according to
25. A method according to
26. A method according to
This application claims the benefit of U.S. Provisional Application Ser. No. 60/731,070 filed Oct. 28, 2005, the entire contents of which are incorporated herein by reference.
The present invention relates to the field of wireless communication systems, and more particularly, to preventing impersonating attacks on a wireless node operating in an authenticated network.
Wireless systems have long suffered from man-in-the-middle, session hijacking and other similar attacks that rely on the ability to impersonate a legitimate party. Approaches so far have focused on better authentication and key distribution schemes. These approaches have little to do with detecting an attack, and will always have a vulnerability, namely theft of identity.
Currently, an attacker who wishes to impersonate a node (client or access point) in an authenticated network (802.1x or PSK) somehow steals its authentication credentials (e.g., PSK, private keys, certificates, etc.) and then uses them for authentication. While impersonating a node, the attacker may or may not choose to use the MAC address of the node being impersonated.
The 802.11 protocol is designed in a manner such that all nodes receive all packets that are transmitted. Each node then proceeds to read the destination MAC address of every packet. If the destination MAC address corresponds to their own MAC address, the node proceeds to read the contents of the packet. Otherwise, the node discards the packet. This results in several problems. One problem is that the MAC address, even though it acts to authenticate hardware, is not used for authentication.
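The point of the preceding paragraph is where the destination and originating addresses sit in an 802.11 frame and which of them a receiver conventionally checks. The following Python parser is an added illustration and is not code from the patent; it reads the Frame Control ToDS/FromDS bits, maps Address 1..3 (and Address 4 in the four-address case) to their DA/SA/BSSID roles, and contrasts the conventional receiver-address filter with the originating-address read the invention requires. Hardware filters on Address 1, the receiver address, which the text calls the destination MAC. The MAC addresses used in the usage lines are constructed, locally administered values.

```python
import struct

# Roles of Address 1..3 for each (ToDS, FromDS) combination in the 802.11
# MAC header of a data frame; with both bits set the source address is
# carried in the optional Address 4 field.
_ADDR_ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),
    (0, 1): ("DA", "BSSID", "SA"),
    (1, 0): ("BSSID", "SA", "DA"),
    (1, 1): ("RA", "TA", "DA"),
}


def _mac_to_str(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def _mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split("-"))


def parse_80211_header(frame: bytes) -> dict:
    """Extract type/subtype, the DS bits and the address roles of a data frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]          # Frame Control, little-endian
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    addrs = [_mac_to_str(frame[o:o + 6]) for o in (4, 10, 16)]
    fields = dict(zip(_ADDR_ROLES[(to_ds, from_ds)], addrs))
    fields["RA"], fields["TA"] = addrs[0], addrs[1]     # Address 1/2 are always RA/TA
    if (to_ds, from_ds) == (1, 1):
        if len(frame) < 30:
            raise ValueError("four-address frame shorter than 30 bytes")
        fields["SA"] = _mac_to_str(frame[24:30])        # Address 4 follows Sequence Control
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "to_ds": to_ds, "from_ds": from_ds, **fields}


def build_data_frame(to_ds, from_ds, addr1, addr2, addr3, addr4=None) -> bytes:
    """Build a header-only data frame as constructed test input (not captured traffic)."""
    fc = (2 << 2) | (to_ds << 8) | (from_ds << 9)       # type 2 = data, subtype 0
    hdr = struct.pack("<HH", fc, 0)                     # Frame Control, Duration/ID
    hdr += _mac_to_bytes(addr1) + _mac_to_bytes(addr2) + _mac_to_bytes(addr3)
    hdr += struct.pack("<H", 0)                         # Sequence Control
    if (to_ds, from_ds) == (1, 1):
        hdr += _mac_to_bytes(addr4)
    return hdr


def conventional_filter(frame: bytes, my_mac: str) -> bool:
    """Current behaviour described in the text: accept only if Address 1 is ours."""
    return parse_80211_header(frame)["RA"] == my_mac


def origin_and_destination(frame: bytes) -> tuple:
    """What the invention adds: read the originating address of every frame too."""
    h = parse_80211_header(frame)
    return h["SA"], h["DA"]


if __name__ == "__main__":
    ap, client = "02-00-00-00-00-01", "02-00-00-00-00-02"   # constructed addresses
    downlink = build_data_frame(0, 1, client, ap, ap)       # AP -> client via the DS
    print(parse_80211_header(downlink))
    print("client accepts:", conventional_filter(downlink, client))
    print("origin, destination:", origin_and_destination(downlink))
```

The uplink case (ToDS=1) puts the BSSID in Address 1, so an access point filtering on Address 1 still sees its own address there while the client's address is in Address 2; reading both, rather than Address 1 alone, is exactly the extra read the text calls for.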
Security vendors have developed sensors that monitor for multiple transmissions using the same MAC address from different locations. While these sensors are useful, they are typically expensive and result in additional hardware being added to the nodes.
In view of the foregoing background, it is therefore an object of the present invention to prevent impersonating attacks on a wireless node without requiring additional hardware for the node.
This and other objects, features, and advantages in accordance with the present invention are provided by a wireless communications network comprising at least one access point, and a plurality of wireless nodes for communicating with the at least one access point. Each access point and wireless node has a respective authentication token and address associated therewith.
The access point and wireless nodes may communicate using packets. Each packet may comprise an authentication token, an origination address and a destination address. During the communicating, each access point may read and store the respective authentication tokens and origination addresses wirelessly transmitted from the wireless nodes for defining an allowed wireless node list. Likewise, each wireless node may read and store the respective authentication tokens and origination addresses wirelessly transmitted from each access point for defining an allowed access point list.
Each wireless node does not associate with any one of the access points if both an authentication token and an address for that access point are not on the allowed access point list. Each access point also does not associate with any one of the wireless nodes if both an authentication token and an address for that wireless node are not on the allowed wireless node list.
An advantage of the present invention is that wireless nodes actively deal with attackers trying to impersonate an access point, and access points actively deal with attackers trying to impersonate a wireless node. This gain in security is achieved with relatively minor modifications to the software and middleware of network cards of wireless products. The wireless nodes and access points read an additional field, i.e., the originating address. Moreover, complicated sensor installations are not required to provide this gain in security.
Each access point may monitor packets being wirelessly transmitted within the wireless communications network by reading the originating addresses of each transmitted packet. If a read origination address matches the address of the access point, and the access point did not transmit the packet, then a determination is made that an attacker is impersonating the access point.
If an attacker is impersonating the access point, several actions may be taken by the access point. The access point may switch to another communications channel, transmit a warning message by increasing its transmit power to drown out transmission by the attacker, or notify a network administrator.
If an attacker is impersonating a wireless node, several actions may be taken by the wireless node. The wireless node may switch to another communications channel, transmit a warning message by increasing its transmit power to drown out transmission by the attacker, or notify a network administrator.
Each access point may have identifying information associated therewith, and when one of the wireless nodes is associating with the access point, the wireless node may display the identifying information to a user of the wireless node. The identifying information may correspond to the authentication token of the access point. If a user of a wireless node is operating in another wireless communications network, for example, and an attacker is using an authentication token and address from the approved list of access points, the identifying information helps to notify the user that an attacker is impersonating an access point that is in a different location.
The wireless communications network may further comprise an authentication server coupled to each access point so that the wireless communications network is configured as an authenticated network. The access points and wireless nodes operate based upon a PSK protocol or an 802.1x protocol. The addresses may comprise MAC addresses.
Another aspect of the present invention is directed to a method for detecting impersonating attacks in a wireless communications network as defined above. The method may comprise wirelessly transmitting packets from the access points to the wireless nodes, where each packet may comprise an authentication token, an origination address and a destination address. Each wireless node may read and store the respective authentication tokens and origination addresses of each access point for defining an allowed access point list. Each wireless node wirelessly transmits packets to the access points, where each packet may comprise an authentication token, an origination address and a destination address. Each access point may read and store the respective authentication tokens and origination addresses of the wireless nodes for defining an allowed wireless node list.
The wireless nodes do not associate with an access point if both an authentication token and an address associated therewith are not on the allowed access point list, and the access points do not associate with a wireless node if both an authentication token and an address associated therewith are not on the allowed wireless node list.
The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which preferred embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Referring initially to
When a wireless node 60 connects to the distribution system, a user name and authentication token (e.g., a password) are entered. This information is passed to the authentication server 90. The authentication server 90 checks that the information is correct. Also connected to the distribution system is the Internet or other LAN resources 100. The access point 70 and the wireless nodes 60 operate based upon a PSK or 802.1x protocol, for example.
As will be discussed in greater detail below, the access point 70 and each wireless node 60 have a respective authentication token and address associated therewith. The access point 70 and wireless nodes 60 communicate using packets. Each packet comprises an authentication token, an origination address and a destination address. The addresses may be MAC addresses, for example.
During the communicating, the access point 70 reads and stores the respective authentication tokens and origination addresses wirelessly transmitted from the wireless nodes 60 for defining an allowed wireless node list 72. Each wireless node 60 reads and stores the authentication token and origination address wirelessly transmitted from the access point 70 for defining an allowed access point list 62.
A wireless node 60 does not associate with an access point 70 if both an authentication token and an address for that access point are not on the allowed access point list 62. Similarly, an access point 70 does not associate with any one of the wireless nodes 60 if both an authentication token and an address for that wireless node are not on the allowed wireless node list 72.
An advantage of the present invention is that wireless nodes 60 actively deal with an attacker 75 trying to impersonate an access point 70 by reading an additional field, i.e., the originating address, of the packets transmitted by the attacker. The access point 70 also actively deals with an attacker 65 trying to impersonate a wireless node 60 by reading the originating address of the packets transmitted by the attacker. This gain in security is achieved with relatively minor modifications to the software and middleware of network cards in the wireless devices.
Block diagrams of the access point 70 and a wireless node 60 will now be discussed in reference to
Similarly, each wireless node 60 includes an antenna 61, a transceiver 64, a memory 66 and a controller 68. The antenna 61 is coupled to the transceiver 64, and the memory 66 is coupled to the transceiver 64. When the wireless node 60 receives packets from the access point 70, the respective authentication tokens and origination addresses for the access point are stored in the memory 66. The respective authentication tokens and origination addresses are used to define the allowed access point list 62 that is also stored in the memory 66. The controller 68 causes the transceiver 64 not to associate with an access point 75 if both an authentication token and an address for that access point are not on the allowed access point list. This access point 75 is an attacker or impersonating access point.
As discussed above, the present invention is directed to detecting man-in-the-middle, session hijacking and other impersonation attacks on a wireless node 60 and an access point 70. Certain scenarios will now be discussed along with the requirements necessary to implement this concept. A key feature of this concept requires wireless nodes (and access points) to read the originating MAC address of all packets they capture from the air; currently they read only the destination MAC address.
A first requirement is that all nodes 60, 70 cache the MAC address of their communicating partner along with the authenticating credential used by it. In office networks where there may be several access points with different MAC addresses using the same AAA authentication token, the MAC addresses of all allowed access points along with the authenticating token of the AAA server (in most cases the public key) are stored on all wireless nodes. The authentication tokens and MAC addresses of all clients are also stored on all access points. In other words, if node B (having, for example, a MAC address of 00-06-5B-15-04-B4 and an authenticating token joe_harry56) communicated with node A at some point in the past, node A will have cached the MAC address 00-06-5B-15-04-B4 with joe_harry56.
A second requirement is that a node that caches addresses as defined above not associate with any node that uses an existing authenticating token with a different MAC address if the MAC address being used is not on the “allowed list.” In the above example node A will not associate with node E if node E uses a MAC address of 01-00-5A-14-04-B4 with the authentication token joe_harry56 and the MAC address of node E is not in the “allowed list” of node A. The implicit understanding is that only certain access points are allowed.
A third requirement is that nodes read the originating MAC address of each packet they see transmitted over the air. If a node reads the originating MAC address and finds packets being transmitted (or even a single packet) using its own MAC address, then it knows that somebody is trying to impersonate it.
Knowing that somebody is trying to impersonate it, a node can be passive and switch to another channel; be active and transmit a warning message (which may be proprietary) by momentarily increasing its transmit power to drown out the impersonating packets; or take a higher layer action (e.g., notifying the network administrator).
A fourth requirement to make the wireless communication system 50 more secure is to provide a higher layer security protocol that informs a wireless node 60 of some information about the node it is associating with. For example, suppose at the time of configuration a particular SSID was configured to be the “finance_dept.” Now every time the wireless node associates with a network that uses this SSID, a popup on the user's screen will ask the user if they are indeed inside the “finance department.” If the user knows they are at a coffee shop (for example) they can then choose not to associate with this fake network that pretends to be the finance department.
The benefits for an enterprise network (when combining the above requirements) are as follows. Suppose an attacker steals the authentication credentials of an AAA server 90. They then try to use this credential to authenticate themselves to a wireless node 60. They will find that no wireless node belonging to the network 50 will be willing to associate with them if their MAC address does not match that of an allowed access point 70 (i.e., the MAC addresses of the office access points). This is a consequence of the first and second requirements.
If they try to fake their MAC address so that it matches that of an office access point 70 and they try to associate with the wireless node 60 when the wireless node is actually in the office, the legitimate access point 70 will be able to hear its own MAC address being used and will then take appropriate action (e.g., send a warning message, alert the administrator and so on). This is a consequence of the third requirement.
If they fake their MAC address so that it matches an office access point 70 and they try to associate with the wireless node 60 when the wireless node is out of the office, the wireless node will be prompted about their location and will choose not to associate with the attacker 65. This is a consequence of the fourth requirement. Thus an attacker with the credentials of the AAA server 90 cannot launch impersonation attacks.
Suppose now an attacker steals the authentication credentials of a wireless node 60. It is now much harder for him to use it because he has to use the MAC address of the client, otherwise the network 50 will not associate with the attacker 65. This is a consequence of the first and second requirements. The attacker 65 has to authenticate from a location where the legitimate wireless node 60 cannot hear his transmissions because otherwise the wireless node would trigger an alert. This is a consequence of the third requirement. Alternatively, the attacker 65 would have to attack at a time when the wireless node 60 is not in the office. Higher layer security features can be used to dissuade such attacks.
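The first three requirements and the two walk-throughs above (stolen AAA credential, stolen client credential) condensed into a small Python model. This is an added example, not code from the patent: the `Packet` and `Node` classes, the `learn`/`may_associate`/`monitor_air` methods and the addresses and tokens in `run_scenarios` are all constructed for illustration. The second requirement is implemented as the text states it: a token already on the list must arrive from a MAC address cached with it; a token never seen is left to ordinary authentication. The fourth requirement (the user location prompt) is not modelled.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    token: str   # authentication token presented with the packet
    src: str     # origination (source) MAC address
    dst: str     # destination MAC address


@dataclass
class Node:
    """A wireless node or access point keeping the allowed list described above."""
    mac: str
    allowed: set = field(default_factory=set)    # cached (token, partner MAC) pairs
    sent: list = field(default_factory=list)     # packets this node itself transmitted
    alerts: list = field(default_factory=list)   # impersonation alerts raised

    def transmit(self, token: str, dst: str) -> Packet:
        pkt = Packet(token, self.mac, dst)
        self.sent.append(pkt)
        return pkt

    def learn(self, pkt: Packet) -> None:
        # First requirement: cache the partner's MAC address together with the
        # credential it used. Assumed to be called only for packets from a
        # partner that has completed authentication.
        if pkt.dst == self.mac:
            self.allowed.add((pkt.token, pkt.src))

    def may_associate(self, token: str, mac: str) -> bool:
        # Second requirement: a known token from a MAC not cached with it is
        # refused. Unknown tokens are not decided here.
        token_known = any(t == token for t, _ in self.allowed)
        return (token, mac) in self.allowed or not token_known

    def monitor_air(self, pkt: Packet):
        # Third requirement: read the originating address of every packet on
        # the air. Our own MAC as source on a packet we did not transmit means
        # someone is impersonating us. Identity, not equality, is checked: a
        # spoofed packet may be field-for-field identical to one we sent, but
        # the radio knows which frames it actually transmitted.
        if pkt.src == self.mac and not any(p is pkt for p in self.sent):
            alert = {"impersonated": self.mac, "token_used": pkt.token, "target": pkt.dst}
            self.alerts.append(alert)
            return alert
        return None


# Constructed addresses and tokens for the walk-through; none are real.
AP_MAC, CLIENT_MAC, ATTACKER_MAC = "02-00-00-00-00-01", "02-00-00-00-00-02", "02-00-00-00-00-EE"
AAA_TOKEN, CLIENT_TOKEN = "aaa-server-pubkey-example", "joe_harry56"


def run_scenarios() -> dict:
    ap, client = Node(AP_MAC), Node(CLIENT_MAC)
    # Normal operation: each side learns the other's (token, MAC) pair.
    client.learn(ap.transmit(AAA_TOKEN, CLIENT_MAC))
    ap.learn(client.transmit(CLIENT_TOKEN, AP_MAC))
    r = {}
    # Attacker holds the AAA credential but uses its own MAC: refused by the list.
    r["stolen_aaa_own_mac"] = client.may_associate(AAA_TOKEN, ATTACKER_MAC)
    # Attacker spoofs the office AP's MAC: the list alone cannot tell, but the
    # legitimate AP hears its own address being used and raises an alert.
    spoof = Packet(AAA_TOKEN, AP_MAC, CLIENT_MAC)
    r["stolen_aaa_spoofed_mac_list_check"] = client.may_associate(AAA_TOKEN, AP_MAC)
    r["stolen_aaa_spoofed_mac_alert"] = ap.monitor_air(spoof) is not None
    # The AP's own traffic must not trigger the alert.
    r["own_traffic_alert"] = ap.monitor_air(ap.transmit(AAA_TOKEN, CLIENT_MAC)) is not None
    # Mirror case: attacker holds the client's credential.
    r["stolen_client_own_mac"] = ap.may_associate(CLIENT_TOKEN, ATTACKER_MAC)
    r["stolen_client_spoofed_mac_alert"] = client.monitor_air(Packet(CLIENT_TOKEN, CLIENT_MAC, AP_MAC)) is not None
    # A credential the list has never seen is left to ordinary authentication.
    r["unknown_token"] = ap.may_associate("never-seen-token", ATTACKER_MAC)
    r["alerts_raised"] = len(ap.alerts) + len(client.alerts)
    return r


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The model makes the residual gap in the text visible: when the attacker spoofs the cached MAC address, `may_associate` returns true, and detection rests entirely on the legitimate node being in range to hear its own address, which is why the text adds the fourth requirement for the out-of-office case.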
The benefits for a home wireless node 60 or a home access point 70 similarly equipped are the same as discussed above. A flow chart for preventing an attack on a wireless node 60 by an attacker 75 impersonating as an access point 70 is shown in
A flow chart for preventing an attack on an access point 70 by an attacker 65 impersonating a wireless node 60 is shown in
Another aspect of the present invention is directed to a method for detecting impersonating attacks in a wireless communications network 50 as defined above. The method comprises wirelessly transmitting packets from the access points 70 to the wireless nodes 60. Each packet comprises an authentication token, an origination address and a destination address.
Each wireless node 60 reads and stores the respective authentication tokens and origination addresses of each access point 70 for defining an allowed access point list 62. Each wireless node 60 wirelessly transmits packets to the access points 70, where each packet may comprise an authentication token, an origination address and a destination address. Each access point 70 reads and stores the respective authentication tokens and origination addresses of the wireless nodes for defining an allowed wireless node list 72. The wireless nodes 60 do not associate with an access point 70 if both an authentication token and an address associated therewith are not on the allowed access point list 62, and the access points do not associate with a wireless node if both an authentication token and an address associated therewith are not on the allowed wireless node list 72.
Many modifications and other embodiments of the invention will come to the mind of one skilled in the art having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is understood that the invention is not to be limited to the specific embodiments disclosed, and that modifications and embodiments are intended to be included within the scope of the appended claims.
Rahman, Shamim Akbar, Mukherjee, Rajat Pritam
Patent | Priority | Assignee | Title |
10275377, | Nov 15 2011 | CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Dynamic boot image streaming |
10979412, | Mar 08 2016 | NXP USA, INC | Methods and apparatus for secure device authentication |
8296555, | Sep 18 2008 | MARVELL INTERNATIONAL LTD; CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Preloader |
8321706, | Jul 23 2007 | MARVELL INTERNATIONAL LTD; CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | USB self-idling techniques |
8327056, | Apr 05 2007 | CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Processor management using a buffer |
8443187, | Apr 12 2007 | CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Authentication of computing devices in server based on mapping between port identifier and MAC address that allows actions-per-group instead of just actions-per-single device |
8443211, | Jan 05 2009 | MARVELL INTERNATIONAL LTD; CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Hibernation or suspend using a non-volatile-memory device |
8510560, | Aug 20 2008 | CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Efficient key establishment for wireless networks |
8688968, | Sep 18 2008 | MARVELL INTERNATIONAL LTD; CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Preloading an application while an operating system loads |
8839016, | Jul 23 2007 | MARVELL INTERNATIONAL LTD; CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | USB self-idling techniques |
8843686, | Apr 05 2007 | CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Processor management using a buffer |
9141394, | Jul 29 2011 | MARVELL INTERNATIONAL LTD; CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Switching between processor cache and random-access memory |
9253175, | Apr 12 2007 | CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Authentication of computing devices using augmented credentials to enable actions-per-group |
9436629, | Nov 15 2011 | CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Dynamic boot image streaming |
9575768, | Jan 08 2013 | CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Loading boot code from multiple memories |
9652249, | Sep 18 2008 | MARVELL INTERNATIONAL LTD; CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Preloading an application while an operating system loads |
9736801, | May 20 2013 | CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Methods and apparatus for synchronizing devices in a wireless data communication system |
9769653, | Aug 20 2008 | CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Efficient key establishment for wireless networks |
9836306, | Jul 31 2013 | MARVELL INTERNATIONAL LTD; CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Parallelizing boot operations |
9860862, | May 21 2013 | CAVIUM INTERNATIONAL; MARVELL ASIA PTE, LTD | Methods and apparatus for selecting a device to perform shared functionality in a deterministic and fair manner in a wireless data communication system |
Patent | Priority | Assignee | Title |
5351295, | Jul 01 1993 | HEWLETT-PACKARD DEVELOPMENT COMPANY, L P | Secure method of neighbor discovery over a multiaccess medium |
6230022, | Dec 27 1997 | Sony Corporation | Transmitting method and apparatus, and sending power controlling method |
6775657, | Dec 22 1999 | Cisco Technology, Inc.; Cisco Technology, Inc | Multilayered intrusion detection system and method |
7120136, | Apr 26 2004 | MOTOROLA SOLUTIONS, INC | Mobile station mobility in a wireless LAN |
20020085719, | |||
20030051140, | |||
20030087629, | |||
20030232598, | |||
20040077335, | |||
20040198220, | |||
20040243846, | |||
20050021979, | |||
20050030929, | |||
20050144544, | |||
20050163078, | |||
20050177723, | |||
20050213579, | |||
20050259657, | |||
20060094400, | |||
20060099929, | |||
20060161983, | |||
20060173781, | |||
20060259759, | |||
20060294379, | |||
20070038866, | |||
20080043686, | |||
20080127320, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Oct 26 2006 | InterDigital Technology Corporation | (assignment on the face of the patent) | / | |||
Oct 30 2006 | RAHMAN, SHAMIM AKBAR | InterDigital Technology Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 018712 | /0591 | |
Nov 24 2006 | MUKHERJEE, RAJAT PRITAM | InterDigital Technology Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 018712 | /0591 |
Date | Maintenance Fee Events |
Aug 27 2015 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Nov 11 2019 | REM: Maintenance Fee Reminder Mailed. |
Apr 27 2020 | EXP: Patent Expired for Failure to Pay Maintenance Fees. |
Date | Maintenance Schedule |
Mar 20 2015 | 4 years fee payment window open |
Sep 20 2015 | 6 months grace period start (w surcharge) |
Mar 20 2016 | patent expiry (for year 4) |
Mar 20 2018 | 2 years to revive unintentionally abandoned end. (for year 4) |
Mar 20 2019 | 8 years fee payment window open |
Sep 20 2019 | 6 months grace period start (w surcharge) |
Mar 20 2020 | patent expiry (for year 8) |
Mar 20 2022 | 2 years to revive unintentionally abandoned end. (for year 8) |
Mar 20 2023 | 12 years fee payment window open |
Sep 20 2023 | 6 months grace period start (w surcharge) |
Mar 20 2024 | patent expiry (for year 12) |
Mar 20 2026 | 2 years to revive unintentionally abandoned end. (for year 12) |